,net Users IIS

[coder316]

Hello,
I just need some clarification:
I added a user to the Membership Table using the CreateUserWizard.
His name is "Bob"

IIS7 shows "Bob" in the .NET Users.
"Bob" is not in the web.config, but the status bar says its getting it
from the web.config.


Where was Bob given authorization if not in the web.config?
and why does IIS say its getting his name from there?

Thanks

 

[Gregory A. Beamer]

I just need some clarification:
I added a user to the Membership Table using the CreateUserWizard.
His name is "Bob"

Membership table? As in a membership table created in SQL Server
Express? If so, that is where Bob is.

IIS7 shows "Bob" in the .NET Users.
"Bob" is not in the web.config, but the status bar says its getting it
from the web.config.

You have me lost here. I am not sure what you mean when you say IIS7 is
showing Bog is not in the web config, but the status bar says he is in
the web.config.

web.config stores certain variables, but not user account information
(okay, perhaps you could create one that does that, but it is not the
default or even "normal"). It does contain a connection string to get to
the database.

Where was Bob given authorization if not in the web.config?
and why does IIS say its getting his name from there?

I am not certain it is saying that, but Bob's account is in a database.
If you went with all of the defaults, you installed SQL Express when you
installed Visual Studio and the tables are there.

peace and grace,


--
Gregory A. Beamer (MVP)

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

*******************************************
| Think outside the box! |
*******************************************

 

[coder316]

Membership table? As in a membership table created in SQL Server
Express? If so, that is where Bob is.


You have me lost here. I am not sure what you mean when you say IIS7 is
showing Bog is not in the web config, but the status bar says he is in
the web.config.

web.config stores certain variables, but not user account information
(okay, perhaps you could create one that does that, but it is not the
default or even "normal"). It does contain a connection string to get to
the database.


I am not certain it is saying that, but Bob's account is in a database.
If you went with all of the defaults, you installed SQL Express when you
installed Visual Studio and the tables are there.

peace and grace,

--
Gregory A. Beamer (MVP)

Twitter: @gbworld
Blog:http://gregorybeamer.spaces.live.com

*******************************************
|      Think outside the box!             |
*******************************************

Greg,
Thanks
I am not using express, I am using a Db on my host.
I thought that the name or Role had to be in <authentication> in the
web.config for the user to be able to see the page. Anonymous users
are denied.
I have <allow> for users but Bob is not one of them.
<authorization>
<deny users="?"/>
<allow users="mary"/>
<allow users="todd"/>
</authorization>

 

[Gregory A. Beamer]

I am not using express, I am using a Db on my host.
I thought that the name or Role had to be in <authentication> in the
web.config for the user to be able to see the page. Anonymous users
are denied.
I have <allow> for users but Bob is not one of them.
<authorization>
<deny users="?"/>
<allow users="mary"/>
<allow users="todd"/>
</authorization>

Okay, now I understand. So you are testing if Bob has access and he
does, despite not allowing him in the web.config?

What is happening is you are not denying all users, you are merely
saying, question whether the user has an account. That is what the deny
statement in question is:

<deny users="?"/>

You can change to

<deny users="*"/>

and then explicitly add mary and todd, as you have. This might help
understand the mechanism a bit:
http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx

I have to test, but I believe ordering is important. you can also
explicitly deny Bob, but that is not very maintainable, unless Bob is
always the only one denied.

Personally, I prefer using roles instead of users.

NOTE: There are a few ways to initiate page security, depending on how
much you need.

1. Web.config
2. Sitemap - if using a menu/breadcrumb (note: does not stop user from
getting to something, necessarily, but hides the location)

With security trimmings on with a sitemap, it will respect the security
settings in web.config, as well (ie, not show user links he does not
have access to). This means, for true security, web.config is the way to
go.

NOTE: You can exclude pages from the mix by setting them up in the
config as exceptions. This is useful when the entire site is secure and
you simply need to exclude the default page and login page from the mix.

NOTE: You can secure subdirectories with their own web.config while
leaving the root open to everyone. This is very useful when you have
some secure pages and not others.

Peace and Grace,

--
Gregory A. Beamer (MVP)

Twitter: @gbworld
Blog: http://gregorybeamer.spaces.live.com

*******************************************
| Think outside the box! |
*******************************************

 

[coder316]

Okay, now I understand. So you are testing if Bob has access and he
does, despite not allowing him in the web.config?

What is happening is you are not denying all users, you are merely
saying, question whether the user has an account. That is what the deny
statement in question is:

<deny users="?"/>

You can change to

<deny users="*"/>

and then explicitly add mary and todd, as you have. This might help
understand the mechanism a bit:http://msdn.microsoft.com/en-us/library/wce3kxhd.aspx

I have to test, but I believe ordering is important. you can also
explicitly deny Bob, but that is not very maintainable, unless Bob is
always the only one denied.

Personally, I prefer using roles instead of users.

NOTE: There are a few ways to initiate page security, depending on how
much you need.

1. Web.config
2. Sitemap - if using a menu/breadcrumb (note: does not stop user from
getting to something, necessarily, but hides the location)

With security trimmings on with a sitemap, it will respect the security
settings in web.config, as well (ie, not show user links he does not
have access to). This means, for true security, web.config is the way to
go.

NOTE: You can exclude pages from the mix by setting them up in the
config as exceptions. This is useful when the entire site is secure and
you simply need to exclude the default page and login page from the mix.

NOTE: You can secure subdirectories with their own web.config while
leaving the root open to everyone. This is very useful when you have
some secure pages and not others.

Peace and Grace,

--
Gregory A. Beamer (MVP)

Twitter: @gbworld
Blog:http://gregorybeamer.spaces.live.com

*******************************************
|      Think outside the box!             |
*******************************************

Thanks, that explaned it well.